Impact
There are several functions in AstariaRouter.sol that have the modifier payable. If a user sends native tokens (ETH) to the contract, then they will be locked in the contract forever since there is no function to withdraw such native tokens.
Proof of Concept
There are several functions in AstariaRouter.sol that have the modifier payable. If a user sends native tokens (ETH) to the contract, then they will be lost forever since there is no function to withdraw such native tokens.
These functions include:
mint()
deposit()
withdraw()
redeem()
pullToken()
Tools Used
Remix
Recommended Mitigation Steps
Remove the modifier payable from these functions so that one can never send native tokens (ETH) to the contract.
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/AstariaRouter.sol#L155
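A review heuristic for this class of finding, added here as an example (it is not code from the report or from the Astaria repository): it flags `payable` functions that never read `msg.value` in a contract with no visible way to send ETH back out. The `RouterLike` sample, the regular expressions and the function names are constructed assumptions.

```python
import re

# Constructed sample (not the Astaria source): payable entry points, no ETH exit.
SAMPLE = """
contract RouterLike {
    function deposit(address vault, uint256 amount) public payable returns (uint256) {
        return IVault(vault).deposit(amount, msg.sender);
    }
    function pullToken(address token, uint256 amount, address to) public payable {
        IERC20(token).transferFrom(msg.sender, to, amount);
    }
    function version() public pure returns (uint256) { return 1; }
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
# Constructs that can move native ETH out: any call with {value: ...},
# payable(x).transfer/send, or selfdestruct. Heuristic, not a full parser.
ETH_EXIT_RE = re.compile(
    r"\{\s*value\s*:|payable\s*\([^)]*\)\s*\.(?:transfer|send)\s*\(|selfdestruct\s*\(")

def strip_comments(src):
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def body_at(src, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]

def audit(src):
    src = strip_comments(src)
    ignoring = []
    for m in FUNC_RE.finditer(src):
        # Drop the returns(...) clause so "address payable" there is not counted.
        modifiers = re.sub(r"returns\s*\([^)]*\)", "", m.group(2))
        body = body_at(src, m.end() - 1)
        if re.search(r"\bpayable\b", modifiers) and "msg.value" not in body:
            ignoring.append(m.group(1))
    has_exit = bool(ETH_EXIT_RE.search(src))
    return {"payable_ignoring_value": ignoring, "has_eth_exit": has_exit,
            "eth_can_be_locked": bool(ignoring) and not has_exit}
```

Calling `audit(SAMPLE)` reports `deposit` and `pullToken` with `eth_can_be_locked` set; a hit is a prompt for manual review, since the regexes do not resolve inheritance or libraries.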